Securely Configuring Service Widgets Without Exposing Secrets

Use environment variables and Kubernetes Secrets to inject sensitive data into your application.

JR

2 minute read

Use environment variables and Kubernetes Secrets to inject sensitive data into your application, keeping ConfigMaps safe for version control.

Problem Context

Storing secrets like API keys in ConfigMaps exposes them in version control and cluster logs. This is risky and violates security best practices.

Solution Workflow

  1. Create a Kubernetes Secret for sensitive data (e.g., API keys).
  2. Mount the Secret as environment variables in your pod spec.
  3. Reference environment variables in your ConfigMap using your application’s templating syntax (e.g., {{HOMEPAGE_VAR_API_KEY}}).
  4. Verify the application correctly resolves variables at runtime.

Example Secret and ConfigMap

# Secret definition (apply it out of band with kubectl; do not commit real values to Git,
# base64 is encoding, not encryption; see Tradeoffs and the Sealed Secrets note below)
apiVersion: v1
kind: Secret
metadata:
  name: homepage-secrets
type: Opaque
data:
  api_key: <base64-encoded-value>   # or use stringData: to supply the plain value and let the API server encode it

# ConfigMap with placeholders (safe to commit)
apiVersion: v1
kind: ConfigMap
metadata:
  name: homepage-config
data:
  config.yaml: |
    widgets:
      - name: weather
        api_key: "{{HOMEPAGE_VAR_API_KEY}}"

Deployment Snippet

env:
- name: HOMEPAGE_VAR_API_KEY
  valueFrom:
    secretKeyRef:
      name: homepage-secrets
      key: api_key
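As an added example (not Homepage's own code), a small Python resolver that mimics the runtime step: it reads the HOMEPAGE_VAR_* variables injected by the secretKeyRef above and substitutes them into the ConfigMap's config.yaml, reporting any unresolved placeholder by name only, so the check can be logged without printing secret values. The sample config text and the function names are constructed for this example.

```python
import os
import re
from typing import Dict, List, Tuple

# Placeholder syntax used in the ConfigMap above: {{HOMEPAGE_VAR_<NAME>}}.
# Only variables carrying the HOMEPAGE_VAR_ prefix are candidates, which is
# why the secretKeyRef env entry uses that name.
PLACEHOLDER = re.compile(r"\{\{\s*(HOMEPAGE_VAR_[A-Z0-9_]+)\s*\}\}")

# Constructed sample: the config.yaml key of the homepage-config ConfigMap.
SAMPLE_CONFIG = """widgets:
  - name: weather
    api_key: "{{HOMEPAGE_VAR_API_KEY}}"
  - name: calendar
    token: "{{HOMEPAGE_VAR_CAL_TOKEN}}"
"""


def render(template: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute each {{HOMEPAGE_VAR_*}} placeholder from `env`.

    Returns the rendered text and the list of placeholder names that had no
    (or an empty) value. Names only, never values, so the list is safe to log.
    Unresolved placeholders are left in place so a later check can spot them.
    """
    missing: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = env.get(name, "")
        if value == "":
            missing.append(name)
            return match.group(0)
        return value

    return PLACEHOLDER.sub(substitute, template), missing


def verify_resolved(template: str, env: Dict[str, str]) -> bool:
    """Step 4 of the workflow: True only if every placeholder resolved."""
    rendered, missing = render(template, env)
    return (not missing) and PLACEHOLDER.search(rendered) is None


if __name__ == "__main__":
    # Inside the pod, os.environ carries the values injected by secretKeyRef.
    _, unresolved = render(SAMPLE_CONFIG, dict(os.environ))
    if unresolved:
        # Print names only; never echo the rendered config or the values.
        print("unresolved placeholders:", ", ".join(sorted(unresolved)))
    else:
        print("all placeholders resolved")
```

Run this inside the pod (or locally with the variables exported) to confirm the injected names line up with the placeholders; a mismatch such as HOMEPAGE_VAR_APIKEY versus {{HOMEPAGE_VAR_API_KEY}} shows up as an unresolved name rather than as a leaked value.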

Policy Example

Enforce that all ConfigMaps referencing secrets use placeholder syntax (e.g., {{VAR_NAME}}) and that Secrets are managed separately via cluster role constraints.

Tooling

  • kubectl: Create/apply Secrets and ConfigMaps.
  • k9s: Inspect Secret and ConfigMap values in a live cluster.
  • Sealed Secrets: Encrypt Secrets for Git storage (optional, for advanced use cases).

Tradeoffs

  • Base64 encoding is not encryption: Secrets stored in etcd are only encoded unless your cluster enables encryption at rest for etcd (or encrypts the etcd disks) or you keep the values in an external store such as Vault.
  • Application dependency: Your app must support environment variable templating (e.g., Homepage’s {{VAR}} syntax).

Troubleshooting

  • Env var not resolved: Check pod logs for errors like invalid environment variable name or mismatched placeholder syntax.
  • Secret not mounted: Verify secretKeyRef names and keys match exactly.
  • ConfigMap not reloaded: Some apps require a pod restart to pick up ConfigMap changes.

Prevention

  • Automate checks with CI/CD pipelines to detect secrets in ConfigMaps using tools like truffleHog or gitleaks.
  • Use OpenShift/Kubernetes RBAC to restrict Secret creation/editing to authorized users only.
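Both the policy in "Policy Example" and the CI check in "Prevention" come down to the same rule: a ConfigMap may reference a sensitive value only through a placeholder, and a plain Secret carrying values does not belong in the repository. The following Python script is an added example (not part of the original post, and not truffleHog or gitleaks) of a lightweight pre-commit/CI gate that enforces that rule with a line-based scan, so it needs no YAML library. The manifest text, the key-name heuristics and the function names are constructed for this example.

```python
import re
import sys
from typing import List, Tuple

# Keys whose values must not appear literally in a committed ConfigMap (heuristic, constructed).
SENSITIVE_KEY = re.compile(r"(api[_-]?key|token|password|passwd|secret)", re.IGNORECASE)
# Placeholder forms the policy accepts: {{VAR_NAME}} (Homepage style) or ${VAR_NAME}.
PLACEHOLDER = re.compile(r"^(\{\{\s*[A-Za-z0-9_]+\s*\}\}|\$\{[A-Za-z0-9_]+\})$")
# "  - key: value" / "  key: value" / "key:" with optional value.
KV_LINE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z0-9_./-]+):(?:\s+(.*?))?\s*$")
BLOCK_SCALAR = {"|", ">", "|-", ">-", "|+", ">+"}

# Constructed multi-document manifest: a correct ConfigMap, a ConfigMap with a
# literal key, a plain Secret with a value, and a SealedSecret (allowed in Git).
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: homepage-config
data:
  config.yaml: |
    widgets:
      - name: weather
        api_key: "{{HOMEPAGE_VAR_API_KEY}}"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: bad-config
data:
  settings.yaml: |
    weather:
      api_key: "sk-CONSTRUCTED-EXAMPLE-NOT-REAL"
---
apiVersion: v1
kind: Secret
metadata:
  name: homepage-secrets
type: Opaque
data:
  api_key: Y29uc3RydWN0ZWQtc2FtcGxl
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: homepage-secrets
spec:
  encryptedData:
    api_key: AgByCONSTRUCTEDCIPHERTEXT
"""


def unquote(value: str) -> str:
    """Drop one layer of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def find_violations(manifest: str) -> List[Tuple[int, str]]:
    """Scan YAML documents (separated by '---') line by line.

    Flags ConfigMap values for sensitive-looking keys that are not placeholders,
    and data/stringData entries of a plain Secret that carry a value.
    SealedSecret documents are left alone: their encryptedData is what Git should hold.
    Returns (line_number, message) pairs; messages never include the value itself.
    """
    violations: List[Tuple[int, str]] = []
    kind = None
    in_secret_data = False
    for lineno, raw in enumerate(manifest.splitlines(), start=1):
        line = raw.rstrip()
        if line.strip() == "---":
            kind, in_secret_data = None, False
            continue
        if line.startswith("kind:"):
            kind = line.split(":", 1)[1].strip()
            in_secret_data = False
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        indent, key, value = m.group(1), m.group(2), (m.group(3) or "")
        if kind == "Secret" and indent == "":
            # Top-level key of a Secret: track whether we are inside data/stringData.
            in_secret_data = key in ("data", "stringData")
            continue
        if not value or value in BLOCK_SCALAR:
            continue  # mapping header or block-scalar indicator, not a value
        if kind == "ConfigMap" and SENSITIVE_KEY.search(key) and not PLACEHOLDER.match(unquote(value)):
            violations.append((lineno, f"ConfigMap key '{key}' holds a literal value; use a {{{{VAR_NAME}}}} placeholder"))
        elif kind == "Secret" and in_secret_data and indent:
            violations.append((lineno, f"Secret key '{key}' carries a value; keep it out of Git or use a SealedSecret"))
    return violations


if __name__ == "__main__":
    # Usage in CI: python check_manifests.py k8s/*.yaml  (exit 1 on any finding)
    found = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for lineno, msg in find_violations(fh.read()):
                found = True
                print(f"{path}:{lineno}: {msg}")
    sys.exit(1 if found else 0)
```

The scanner reports the key name and line, never the offending value, so its own output does not become a second leak in CI logs. The key-name list is deliberately a heuristic; it complements, rather than replaces, entropy-based scanners such as truffleHog or gitleaks.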

By decoupling secrets from ConfigMaps and leveraging environment variables, you maintain security while keeping configuration versioned and portable.

Source thread: Is there a way to configure service widgets on my Homepage app so the ConfigMap can be committed to GitHub safely?
